MongoDB Create Database Username Password to Secure Data

Have a Database Problem? Speak with an Expert for Free
Get Started >>

Introduction

As long as the Mongodb database port is open on your server any computer can connect to your database and modify, read, or delete your MongoDB data. This article is about MongoDB creating a database username and password which will allow you to secure your data.

Mongodb Enable Authentication

MongoDB is directly connected by default, no authentication is required. If the current computer can access the public network and ignore the open state of the Mongodb port (the default is 27017), Mongodb creates a security risk and can be used to invade the database.

Read Also: Learn How to secure MongoDB Community Version Using Authentication (https://kb.objectrocket.com/mongo-db/learn-how-to-secure-mongodb-community-version-using-authentication-part-3-489)

If you need to use security authentication for your MongoDB database, you must use auth to enable security auditing. Only users with database authentication can read, write, and verify account security.

How to Create Database in MongoDB?

The MongoDB syntax for creating a database is as follows:

1
use DATABASE_NAME

If the database does not exist, create a database, otherwise switch to the specified database.

Example: In the following example, we created the database Objectrocket:

1
2
3
4
5
> use objectrocket
switched to db objectrocket
> db
objectrocket
>

If you want to see all the databases, you can use the show dbs command:

1
2
3
4
5
> show dbs
admin   0.000GB
config  0.000GB
local   0.000GB
>

As you can see, the newly created Objectrocket database is not included in the list of databases. To show it, we need to put some data in the objectrocket database.

1
2
3
4
5
6
7
> db.objectrocket.insert({"name":" objectrocket  Tutorial"})
WriteResult({ "nInserted" : 1 })
> show dbs
admin   0.000GB
config  0.000GB
local   0.000GB
objectrocket  0.000GB

The default database in MongoDB is test. If you do not create a new database, the collection is stored in a test database.

Note: In MongoDB, collections are created only after inserting content! That is, after creating a collection (data table), a document (record) is inserted and actually a collection is created.

MongoDB Create Database Username Password

In this section I will guide you through creating a database username and password so that you can protect your data. Here are the steps to take for creating username and password.

Vulnerable Environment

  • Run Mongodb with Mongod standard command
  • Access to the device is possible via the public network.
  • Open the port of Mongodb in the public network

Security Risk

  • Database privacy leak
  • Database deleted
  • The database is slow

Solutions

  • Prohibit public network access to Mongodb port
  • Network configuration – Because network configuration varies from person to person, it must be configured for the actual environment and no redundancy is required. On the following aspects it may be prohibited.
    • Disable port forwarding in the router
    • Iptables Firewall forbidden access Verify how the port can be accessed Run the external network from the machine’s command line
      telnet your.machine.open.ip 27017

Verify how the port can be accessed

Run the external network from the machine’s command line:

1
telnet your.machine.open.ip 27017

Enable Verification

Create a user administrator account Current database version: Mongodb 3.4 Start database with Mongod New terminal:

1
mongod --port 27017 --dbpath /data/db1

By default, parameters can be added. If custom parameters exist, they must be added.

In another terminal, run the following command.

1
2
3
4
5
6
7
8
9
10
11
mongo --port 27017

use admin

db.createUser(
  {
    user: "admin",
    pwd: "Password",
    roles: [ { role: "userAdminAnyDatabase", db: "admin" } ]
  }
)

The administrator was created successfully and now has a user administrator. Username: admin Password: password Then disconnect the Mongodb connection, and close the database. You can do this by hitting Cmd-C on Mac or Ctrl-C on Windows.

Mongodb user verification login

Run Mongodb with access control In a new terminal run:

1
mongod --auth --port 27017 --dbpath /data/db1

Now there are two ways to verify the identity of the user. The first way is similar to MySql. The second one is to specify the username, password, and database name when the client connects.

1
mongo --port 27017 -u "admin" -p "password" --authenticationDatabase "admin"

After the client connects, verify it again.

1
2
3
4
5
6
mongo --port 27017

use admin
db.auth("admin", "password")

// Output 1 means successful verification

How to create a simple user?

Let’s continue on with this article about Mongodb creating database username and password and let’s take one step more to understand how to create a simple user. This process is similar to creating an administrator account, but the role is different.

1
2
3
4
5
6
7
8
9
10
use foo

db.createUser(
  {
    user: "simpleUser",
    pwd: "simplePass",
    roles: [ { role: "readWrite", db: "foo" },
             { role: "read", db: "bar" } ]
  }
)

Now we have a simple user Username: simpleUser Password: simplePass Permissions: read and write database foo, read-only database bar.

Please Note: Using foo means that the user is created in the foo library. Therefore, the foo library must verify the identity, ie the user’s information follows the database. Although the simpleUser named above has permission to read the bar library, it must first authenticate in the foo library. Direct access leads to a validation error.

1
2
3
4
5
use foo
db.auth("simpleUser", "simplePass")

use bar
show collections

Another thing to keep in mind is that, by default, the connection method still has super permissions when there are no users in the administration library, even if users are created in other databases.

MongoDB Database Roles

Built-in roles

Database user role: read, readWrite Database management roles: dbOwner, dbAdmin, userAdmin Cluster management roles: clusterManager ,clusterAdmin, hostManager , clusterMonitor Backup recovery role: restore, backup All database roles: readWriteAnyDatabase , readAnyDatabase, dbAdminAnyDatabase , userAdminAnyDatabase Superuser role: root // There are several roles that provide indirect or direct access to the system superuser (userAdmin, dbOwner, userAdminAnyDatabase) Internal role: system

Role descriptions

Read: Allow users to read the specified database. readWrite: Allow the user to read and write to the specified database userAdmin: Allows users to write to the system. users collection. You can create, delete, and manage users in the specified database. clusterAdmin: Available only in the administrator database, which gives the user administrator rights to all shards and replication set related functions. dbAdmin: This allows the users to run administrative functions in a specified database, such as, creating an index, viewing statistics , deleting, , or accessing system profile. readAnyDatabase: is only available in the administrator database and give the user read access to all databases. userAdminAnyDatabase: is only available in the Administrator database and give all databases userAdmin permissions. readWriteAnyDatabase: is only available in the administrator database and give the user read and write permissions to all databases. dbAdminAnyDatabase: is only available in the administrator database and give the user dbAdmin rights for all databases. Root: This is only accessible in the admin database. Super account, great resolution

Conclusion

When using the database, we must be aware of security risks. Due to the default configuration of Mongodb, the database is at risk of intrusion and must be prevented by creating database usernames and passwords. If you’re worried that your database security is not configured properly please reach out to us at Object Rocket and your data will be in safe hands.

Pilot the ObjectRocket Platform Free!

Try Fully-Managed CockroachDB, Elasticsearch, MongoDB, PostgreSQL (Beta) or Redis.

Get Started

Keep in the know!

Subscribe to our emails and we’ll let you know what’s going on at ObjectRocket. We hate spam and make it easy to unsubscribe.